Consumer Routers Report Concludes: It's a Market of Lemons

A new study into the state of consumer routers by Carnegie Mellon University researchers is unsparing in its criticism: It's a market of lemons, and virtually all of the test models have security problems.

That won't come as news to those in computer security, but it underscores the increasing warnings about the internet of things, the catch-all term for computer devices with internet connectivity.

"The sheer volume of vulnerabilities in routers demands a new approach."

The researchers knew they were heading into a well-trod area, but they hoped their study "may provide clear metrics" about the 'lemon market' effect." That's the term for how quality products disappear from a market, driving down prices and quality.

The sheer volume of vulnerabilities in routers demands a new approach, one that could more tightly watch router manufacturers and "help form a clearer picture of how different vendors and products measure up," says the study, which was funded by the U.S. Department of Defense.

"By de-emphasizing the number of vulnerabilities and focusing on vendor responsiveness and the availability of fixes, clear metrics could emerge to disperse the 'lemon market' effect," they write. "A bug tracking solution might provide an off-the-shelf capability to support such a database."

Carnegie Mellon researchers analyzed 13 routers from major manufacturers including Belkin, Huawei, Motorola, Netgear and Apple, between 2014 and 2015. The study was released this month.

Slow Vendor Response

When vulnerabilities were found in products, Carnegie Mellon contacted the manufacturers, giving them 45 days to work on the issue before publicly releasing the details. But vendors responded slowly, if at all.

For example, the study found several issues with Securifi's Almond router, including that it was vulnerable to clickjacking, cross-site request forgery and, in one older model, didn't deliver firmware updates over HTTPS. The firmware delivery was fixed in the 2015 model.

Securifi was "quick to respond" and said it would release an update within 45 days. Although the company provided the Computer Emergency Readiness Team/Coordination Center which is based at Carnegie Mellon, with the update, it never explicitly announced the update on its website. The update also wasn't listed as the latest one on Securifi's support website or on the router's update interface.

The researchers also found that a separate model of router made by Securifi "was identically vulnerable to the findings affecting the Almond."

"This discovery illustrates a greater 'whack-a-mole' problem in CPE [customer-premises equipment] router vulnerability coordination; vendors rarely do their due diligence in assessing the rest of their product line when they fix issues," the study says. "New products are vulnerable to the same classes issues affecting the old products, and even when updates are produced, there are insufficient efforts to ensure distribution to users."

The notification problem is also illustrated by Carnegie Mellon's interaction with Belkin, whose N600DB router was analyzed.

A full report on vulnerabilities was sent to Belkin on July 17, 2015. CERT/CC didn't reach someone who acknowledged the report until more than three weeks later. CERT/CC never heard from Belkin again and published its report after 45 days. Belkin released an update to fix the issues in May 2016, the study says.

Regulators Interested

Router manufacturers, however, may not get off so easily in the future. The emergence of the Mirai botnet, which infected DVRs, CCTVs and tens of thousands of Deutsche Telekom routers, called attention to insufficiently protected IoT devices (see Mirai Botnet Pummels Internet DNS in Unprecedented Attack).

In January, the U.S. Federal Trade Commission filed a five-count complaint against D-Link in federal court in San Francisco. The regulator contends that D-Link marketed its IP cameras and routers to consumers as secure when the products were not, a violation that constitutes unfair trade practices. D-Link called the charges unwarranted and baseless (see FTC vs. D-Link: A Warning to the IoT Industry).

The new study suggests that a public database of router vulnerabilities may be one solution to help clean up the industry. Bug reports could be left for open comments, allowing for alternative validation and providing a clearer picture on how vendors are dealing with issues.

"Following widely accepted disclosure practices, a vendor would be given 45 days to respond to vulnerability reports," it says. "After the 45 days, the report would be added to a public database."

Media reports can occasionally spur action by vendors seeking to keep their reputation intact. But "coordination can be a time-consuming process whose results are lost in the sheer volume of disparate cases," the study says.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.